Security news that informs and inspires

CISA Releases 5G Security Strategy


The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released the National Strategy to Secure 5G for securely deploying 5G in the United States.

5G is making a lot of promises. The latest generation of cellular mobile communications is expected to provide near-instantaneous connectivity at higher data rates and low latency necessary to support technologies such as virtual and augmented reality, autonomous vehicles, and smart cities.

“5G networks and future communications technologies (e.g., SDN, network slicing, edge computing) will transform the way we communicate, introducing a vast array of new connections, capabilities, and services. However, these developments introduce significant risks that threaten national security, economic security, and impact other national and global interests,” CISA said.

Telecommunications providers around the world are gearing up for the change, but there are concerns 5G would create new security threats and exacerbate existing ones. CISA’s strategy guide is intended to provide recommendations on deploying secure and resilient 5G networks.

The National Strategy to Secure 5G outlined four defined lines of effort and five strategic initiatives to implement that strategy. The lines of effort are Facilitate Domestic 5G Rollout; Assess Risks to & Identify Core Security Principles of 5G Infrastructure; Address Risks to United States Economic and National Security During Development and Deployment of 5G Infrastructure Worldwide; and Promote Responsible Global Development and Deployment of 5G.

The five strategic initiatives are centered around developing 5G policy and standards by emphasizing security and resilience; increasing awareness on 5G supply chain risks and promoting security measures; securing existing infrastructure to support future 5G deployments; encouraging innovation to foster trusted 5G vendors; and analyzing use cases and sharing risk management strategies. Each initiative has its own set of objectives.

“Each of the strategic initiatives address critical risks to secure 5G deployment, such as physical security concerns, attempts by threat actors to influence the design and architecture of the network, vulnerabilities within the 5G supply chain, and an increased attack surface for malicious actors to exploit weaknesses,” CISA said.

The goal is to deploy 5G networks which are secure and resilient so that threat actors won’t be able to attack the network architecture. The problem is that for the short-term, 5G will be rolled out on non-standalone networks and will co-exist with older communications technologies. This means the legacy vulnerabilities associated with 4G LTE can still impact 5G networks, even though 5G was designed with some security defenses. The transition to standalone 5G networks should take place within several years.

Supply chain remains a big issue, since adversaries can weaken the network by injecting compromised components such as counterfeit parts and malicious software and hardware into the supply chain. Supply chain issues can also arise from poor designs, manufacturing processes, and maintenance procedures.

Whoever controls the equipment will control the networks, so it is an integral part of the national strategy to encourage innovation, to ensure there are enough vendors in the marketplace to have healthy competition.

“This defensive strategy is about the ‘nodes,’ the devices and their applications, in the network rather than merely the ‘links,’" William Hugh Murray, a member of the SANS Institute editorial board, said in the institute’s news summary. Much of the previous discussion of 5G networks were drive by the carriers, so the questions were always about connectivity. The strategy is shifting the responsibility to the developers and managers since the issues are about applications and devices. “These are the responsibility of the developers and managers of the applications, not the carriers.”